Bug 1364993 - MS-KKDCP with TLS SNI requires HTTP Host header
Summary: MS-KKDCP with TLS SNI requires HTTP Host header
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Robbie Harwood
QA Contact: Kaleem
URL: https://github.com/krb5/krb5/pull/507
Whiteboard:
Depends On: 1365027
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-08 10:30 UTC by Abhijeet Kasurde
Modified: 2016-11-03 20:26 UTC (History)
4 users (show)

Fixed In Version: krb5-1.14.1-24.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1365027 1365028 1365029 1365030 (view as bug list)
Environment:
Last Closed: 2016-11-03 20:26:17 UTC
Target Upstream Version:


Attachments (Terms of Use)
Remove TLS SNI from MIT KRB5 (544 bytes, patch)
2016-08-09 12:57 UTC, Christian Heimes
no flags Details | Diff
console.log (14.37 KB, text/plain)
2016-08-11 11:21 UTC, Abhijeet Kasurde
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2591 0 normal SHIPPED_LIVE Low: krb5 security, bug fix, and enhancement update 2016-11-03 12:10:29 UTC

Description Abhijeet Kasurde 2016-08-08 10:30:22 UTC
Description of problem:
When IPA client is configured with KKDCP, kinit fails with error

[root@ipaclient73kdc2 /]# KRB5_TRACE=/dev/stdout kinit mytestuser@TESTRELM.TEST
[8719] 1470629617.922276: Getting initial credentials for mytestuser@TESTRELM.TEST
[8719] 1470629617.922387: Sending request (174 bytes) to TESTRELM.TEST
[8719] 1470629617.922454: Resolving hostname ipamaster73kdc2.testrelm.test
[8719] 1470629617.922666: Initiating TCP connection to stream 192.168.121.125:88
[8719] 1470629617.933601: Terminating TCP connection to stream 192.168.121.125:88
[8719] 1470629617.933625: Sending initial UDP request to dgram 192.168.121.125:88
kinit: Cannot contact any KDC for realm 'TESTRELM.TEST' while getting initial credentials

On Server

[root@ipamaster73kdc2 ~]# tail -f /var/log/httpd/error_log 
[Mon Aug 08 09:39:22.766065 2016] [:error] [pid 24448] Hostname ipamaster73kdc2.testrelm.test provided via SNI, but no hostname provided in HTTP request

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-5.el7.x86_64
ipa-client-4.4.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install IPA server
2. Enable KDCProxy in IPA server
3. Try to login as IPA user using IPA Client with kinit

Actual results:
Kinit fails to find KDC server due to mismatch is SNI and HTTP HOSTNAME header

Expected results:
kinit should be successful.

Additional info:
https://marc.info/?l=krb5-cvs&m=143300114416062&w=2
Similar to https://www.redhat.com/archives/pki-devel/2015-November/msg00029.html

Comment 1 Christian Heimes 2016-08-08 10:44:23 UTC
I submitted a patch with TLS SNI support in https://github.com/krb5/krb5/commit/4b6045adb7a044cd7ddc3987da2f26bf8a5281fe. Back then I did not notice the problem because I tested against a mod_nss version without TLS SNI support. I was neither aware that mod_nss did not support SNI yet not that Apache requires a HTTP Host header for TLS requests with SNI.

I have a submitted a patch to MIT KRB5: https://github.com/krb5/krb5/pull/507. The patch also added port number to Host header so name based and port based virtual hosting works with MS-KKDCP requests.

Comment 4 Christian Heimes 2016-08-09 12:57:19 UTC
Created attachment 1189253 [details]
Remove TLS SNI from MIT KRB5

The patch reverts https://github.com/tiran/krb5/commit/2d66309ef78aeff8df78c81a9d32c1a7e4857f63 and removes the call to SSL_set_tlsext_host_name(). Without the function call the Kerberos client no longer sends a TLS SNI extension in the TLS/SSL handshake for MS-KKDCP. This removes the root cause of the issue.

The alternative patch is simpler and less risky than https://github.com/krb5/krb5/pull/507 because it just removes some code and doesn't introduce new code. We don't loose any functionality. Without the HTTP Host header TLS SNI is broken anyway.

Comment 5 Christian Heimes 2016-08-09 13:00:04 UTC
PS: Attachment 1189253 [details] is a workaround until PR 507 has been reviewed and landed in upstream.

Comment 6 Christian Heimes 2016-08-09 15:09:29 UTC
Patrick and I have confirmed that my patch https://github.com/krb5/krb5/pull/507 solves the issue on Fedora 24. A scratch build is available on koji http://koji.fedoraproject.org/koji/taskinfo?taskID=15189064

Comment 7 Robbie Harwood 2016-08-10 21:39:23 UTC
Thanks Christian!

Comment 10 Abhijeet Kasurde 2016-08-11 11:21:08 UTC
Verified using IPA version ::
ipa-server-4.4.0-7.el7.x86_64

There are no messages like 
'Hostname <HOSTNAME> provided via SNI, but no hostname provided in HTTP request'

in /var/log/httpd/error_log


Attaching console.log. Marking BZ as verified.

Comment 11 Abhijeet Kasurde 2016-08-11 11:21:34 UTC
Created attachment 1190030 [details]
console.log

Comment 13 errata-xmlrpc 2016-11-03 20:26:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2591.html


Note You need to log in before you can comment on or make changes to this bug.